June 8, 2022 • 4 MIN READ

Weaknesses in the Bank and PSP Security: How to Stay Protected

Bank & PSP Security How to Stay Protected_Blog.png

In 2021, the level of payment fraud in the field of fintech increased by 70%. Let's see what the situation looks like now!

Security is what most modern internet developments are trying to provide to users. It is hardly likely that the user will agree to send their personal data to a system that is unreliable or insecure. The purpose of information security is to protect users’ data and support infrastructure from accidental or intentional interference. Let's see what the situation looks like now.

Is Fraud Evolving?

According to a study by SIFT, in 2021, the level of payment fraud in the field of fintech increased by 70%; thus, the number of attacks is the highest in the entire network. If we study the report in detail, we will see the main reasons for these attacks were the growing popularity of the digital finance sector and potentially large amounts of theft. The attacks were primarily aimed at non-traditional finance, such as digital wallets with a 200% increase in payment fraud, as well as payment service providers with more than 169% rise and cryptocurrency exchanges with a 140% increase.

With the development of technology, new ways to commit fraud have appeared. Some hackers use deception, persuasion, fake mailings, hacking locks, and exploiting system vulnerabilities in banks and PSP systems. If before, the trend for false calls “from the bank” and methods of dealing with them were common knowledge, now the new, more complex, and confusing schemes of deception are exacerbating the problem.

What Are the Common Vulnerabilities?

As mentioned above, hackers are trying to exploit flaws in the system, bypass security measures, and get inside processes on the network. Let's figure out how exactly such data leaks occur.

Weak Encryption

Weak encryption is most often associated with security keys of insufficient length, which can be hacked by the selection method. One-factor authentication is also an unreliable data protection mechanism. 

We are used to banks and large financial organizations being reliable and having secure systems, but they also have bugs that make the network sensitive. Banks may have a simplified algorithm for logging in, uploading data to servers or cloud storage, or no mechanism at all for checking for the presence of the root rights.

The most common flaw is that the authentication data is stored in the application code openly, which means that anyone can access it. But why do bank apps save the data in such a way? Simply put, it’s connected with the deep-links technology integration. It provides users with the opportunity to access any link via app or website, which is convenient but not safe. Hackers get the opportunity to penetrate the protected sector of the application.

Lack of Strict Requests Validation 

A common vulnerability on the bank's side is the lack of strict validation of requests from the mobile application to the bank's servers. As a result, hackers can gain access to users’ funds using fake certificates. Since there is no ban on certificates or their validation, the bank will consider the request legitimate and send money to fraudsters.

User Authentication

Another major risk of mobile banking applications is the operating system. There is no two-factor authentication, so a user doesn’t need a PIN or SMS code to validate the transaction. User and transfer verification remain the weakest points in bank apps. 

Passwords and Third-Party Apps

A fairly typical case is when fraudsters pose as the bank's security service and ask the victim to give a password and SMS code. So they get full access to the victim's money. 

Distributed Denial-of-Service (DDoS) Attacks 

The principle of the DDoS attack is that a server falls under an incessant bombardment of empty requests distributed over a large area. There can be thousands of such requests and more. Due to server overload, it doesn’t understand which request is legitimate and which is not, so hackers use it to divert the attention of the banks' security services. Currently, there are attempts to develop products that effectively resist DDoS.


Phishing or data theft is often carried out through fake sites that are copies of those familiar to the user but send the entered data not to the bank or payment system but to hackers. The main reason that people fall for phishing is ignorance of internet security.

How to Stay Protected 

To minimize the risk, you need to follow the basic rules:

  • Don’t disclose personal information. Even if you are told that the call is from the bank - hang up and call the bank back. Ignore or double-check suspicious calls or messages from the bank.
  • Don’t store financial, authentication, and personal data directly on a mobile device. 
  • Don’t use too simple and repetitive passwords.
  • Don’t download third-party applications.
  • Don’t carry a recorded PIN code next to the card. Enable alerts about operations and set spending limits.
  • Keep secret the codes from SMS and PUSH notifications, the PIN code of the card, security questions, personal data, and card data, including the expiration date and the three-digit code. 
  • Know the phone number of your bank.
  • Immediately contact the bank and block the card if you have lost it. 
  • Contact the bank and the police if your money has been stolen.
  • If your mobile phone is lost, block the application and SIM card by contacting the bank and your mobile operator. 
  • Carefully monitor which application has open access to the data and don’t give unnecessary permissions.
  • Check the link when you access the website to avoid fakes. 

Transaction Security with Payrow

To ensure the security of transactions, Payrow has implemented the new 3d secure v.2 protocol. The new protocol provides users with fast, simple, and convenient authentication and transfers data over a highly secure channel. Thanks to 3d secure v.2, we simplified and sped up the process of transactions. If the customer uses the same data to confirm the transaction, codes, and geo-location, authentication becomes easier and faster.

What’s more? We have made the payment process adaptive for mobile browsers and applications. The user can easily go through the authentication process directly in the application and can approve transactions without manual input since the system automatically fills in the code by reading the data from the SMS. We have also included additional authentication options like security tokens and biometric data. 

Make your payments secure with Payrow!